      1 # vendor_init is its own domain.
        # The declaration attaches two attributes: domain and mlstrustedsubject.
        # NOTE(review): mlstrustedsubject presumably exempts this domain from MLS
        # constraints; confirm in the MLS policy, because category separation
        # would then not confine vendor_init.
      2 type vendor_init, domain, mlstrustedsubject;
      3 
      4 # Communication to the main init process
        # Grants read and write only, on a unix stream socket labeled init; this
        # rule gives no create, connect or listen permission.
      5 allow vendor_init init:unix_stream_socket { read write };
      6 
      7 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
        # The peer set is every domain minus init, logd, su and vendor_init itself,
        # so those four are the only socket peers this assertion leaves open.
        # NOTE(review): the macro body is not in this file; confirm which socket
        # classes it covers before treating it as a complete IPC restriction.
      8 neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
      9 
     10 # Logging to kmsg
        # Write-only access: open and write, with no read permission on the device.
     11 allow vendor_init kmsg_device:chr_file { open write };
     12 
     13 # Mount on /dev/usb-ffs/adb.
        # NOTE(review): the target is the generic device type, so mounton applies
        # to every directory carrying that label, not only the path named above.
     14 allow vendor_init device:dir mounton;
     15 
     16 # Create and remove symlinks in /.
        # Only create and unlink are granted; reading rootfs symlinks is not part
        # of this rule.
     17 allow vendor_init rootfs:lnk_file { create unlink };
     18 
     19 # Create cgroups mount points in tmpfs and mount cgroups on them.
        # NOTE(review): create_dir_perms is a macro defined outside this file;
        # check its expansion for the exact directory permissions granted.
     20 allow vendor_init cgroup:dir create_dir_perms;
     21 
     22 # /config
        # Three rules for configfs: mount over configfs directories, create
        # directories, and create regular files and symlinks.
        # NOTE(review): create_dir_perms and create_file_perms are defined outside
        # this file; confirm their expansion.
     23 allow vendor_init configfs:dir mounton;
     24 allow vendor_init configfs:dir create_dir_perms;
     25 allow vendor_init configfs:{ file lnk_file } create_file_perms;
     26 
     27 # Create directories under /dev/cpuctl after chowning it to system.
        # dac_override bypasses discretionary (owner and mode) permission checks.
        # A capability rule on self is not tied to any path, so the type-based
        # allow rules in this policy are what bound where it can be exercised.
     28 allow vendor_init self:global_capability_class_set dac_override;
     29 
     30 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
     31 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
     32 # system/core/init.rc requires at least cache_file and data_file_type.
     33 # init.<board>.rc files often include device-specific types, so
     34 # we just allow all file types except /system files here.
        # The rule directly below grants only the capabilities used when changing
        # ownership and mode bits (chown, fowner, fsetid). The broad file-type
        # access described above comes from the allow rules on { file_type - ... }
        # later in this file.
     35 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
     36 
     37 # mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
        # Directory access is search only; file access is whatever r_file_perms
        # expands to (macro defined outside this file). No write is requested.
     38 allow vendor_init unencrypted_data_file:dir search;
     39 allow vendor_init unencrypted_data_file:file r_file_perms;
     40 
        # getattr only on system_data_file directories; this rule grants no
        # search, read or write there.
     41 allow vendor_init system_data_file:dir getattr;
     42 
        # The five rules below share one target set: every file_type except
        # core_data_file_type, exec_type, system_file, vendor_file_type and
        # vold_metadata_file. They differ by object class and permission list.
        # None of them grants execute. The subtraction list is the only boundary:
        # a newly added file type receives this access unless it carries one of
        # the excluded types or attributes.

        # Directories: create, traverse, list, modify entries, chown/chmod
        # (setattr) and relabelfrom. unlabeled is also subtracted.
     43 allow vendor_init {
     44   file_type
     45   -core_data_file_type
     46   -exec_type
     47   -system_file
     48   -unlabeled
     49   -vendor_file_type
     50   -vold_metadata_file
     51 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
     52 
        # Regular files: create, read, write, setattr, relabelfrom and unlink.
        # This is the only rule of the five that also subtracts
        # runtime_event_log_tags_file.
     53 allow vendor_init {
     54   file_type
     55   -core_data_file_type
     56   -exec_type
     57   -runtime_event_log_tags_file
     58   -system_file
     59   -unlabeled
     60   -vendor_file_type
     61   -vold_metadata_file
     62 }:file { create getattr open read write setattr relabelfrom unlink };
     63 
        # Sockets and FIFOs on disk: same shape as the file rule but without
        # write, so the nodes can be created and managed but not written to
        # through this rule.
     64 allow vendor_init {
     65   file_type
     66   -core_data_file_type
     67   -exec_type
     68   -system_file
     69   -unlabeled
     70   -vendor_file_type
     71   -vold_metadata_file
     72 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
     73 
        # Symlinks: create, getattr, setattr, relabelfrom and unlink. read is not
        # listed, so this rule does not let vendor_init read link targets.
     74 allow vendor_init {
     75   file_type
     76   -core_data_file_type
     77   -exec_type
     78   -system_file
     79   -unlabeled
     80   -vendor_file_type
     81   -vold_metadata_file
     82 }:lnk_file { create getattr setattr relabelfrom unlink };
     83 
        # relabelto for every class in dir_file_class_set. Combined with the
        # relabelfrom grants above, objects can be moved between types inside the
        # allowed set, so the exclusions are what keep labels such as exec_type
        # out of reach.
        # NOTE(review): unlabeled is not subtracted here, unlike the four rules
        # above; confirm that difference is intended.
     84 allow vendor_init {
     85   file_type
     86   -core_data_file_type
     87   -exec_type
     88   -system_file
     89   -vendor_file_type
     90   -vold_metadata_file
     91 }:dir_file_class_set relabelto;
     92 
        # Device directories and symlinks: directory permissions per
        # create_dir_perms (macro defined outside this file) on every dev_type,
        # and create only for symlinks.
     93 allow vendor_init dev_type:dir create_dir_perms;
     94 allow vendor_init dev_type:lnk_file create;
     95 
     96 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
        # NOTE(review): the rule covers every file labeled debugfs_tracing, not
        # only the tracing_on node named above.
     97 allow vendor_init debugfs_tracing:file w_file_perms;
     98 
     99 # chown/chmod on pseudo files.
        # Covers the next two rules (files, then directories). Permissions are
        # open, read and setattr, plus search for directories; write is not
        # granted. Excluded from fs_type: contextmount_type, sdcard_type, rootfs
        # and the three proc_uid_* types.
    100 allow vendor_init {
    101   fs_type
    102   -contextmount_type
    103   -sdcard_type
    104   -rootfs
    105   -proc_uid_time_in_state
    106   -proc_uid_concurrent_active_time
    107   -proc_uid_concurrent_policy_time
    108 }:file { open read setattr };
    109 
    110 allow vendor_init {
    111   fs_type
    112   -contextmount_type
    113   -sdcard_type
    114   -rootfs
    115   -proc_uid_time_in_state
    116   -proc_uid_concurrent_active_time
    117   -proc_uid_concurrent_policy_time
    118 }:dir  { open read setattr search };
    119 
    120 # chown/chmod on devices, e.g. /dev/ttyHS0
        # setattr only: this rule does not let vendor_init open, read or write the
        # device nodes, but it can change their owner and mode, which in turn
        # decides who else passes the DAC check.
        # NOTE(review): the four subtracted types (kmem, port, lowpan, hw_random)
        # are presumably nodes whose ownership must never be loosened; confirm
        # the list is complete for the devices on the target board.
    121 allow vendor_init {
    122   dev_type
    123   -kmem_device
    124   -port_device
    125   -lowpan_device
    126   -hw_random_device
    127 }:chr_file setattr;
    128 
        # Block devices: getattr only on every dev_type; no read or write.
    129 allow vendor_init dev_type:blk_file getattr;
    130 
    131 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
        # Read access comes from r_dir_file, write access from w_file_perms (both
        # macros defined outside this file). net_admin is a capability on self and
        # is not limited to /proc/sys/net; it also covers other network
        # administration operations in the kernel.
    132 r_dir_file(vendor_init, proc_net)
    133 allow vendor_init proc_net:file w_file_perms;
    134 allow vendor_init self:global_capability_class_set net_admin;
    135 
    136 # Write to /proc/sys/vm/page-cluster
    137 allow vendor_init proc_page_cluster:file w_file_perms;
    138 
    139 # Write to sysfs nodes.
        # Read directories and symlinks for every sysfs_type, and read/write files
        # for every sysfs_type except sysfs_usermodehelper. Any sysfs label added
        # later is writable by vendor_init unless it is subtracted here.
        # NOTE(review): sysfs_usermodehelper is presumably excluded because it
        # controls which helper binary the kernel runs; confirm against the label
        # definition.
    140 allow vendor_init sysfs_type:dir r_dir_perms;
    141 allow vendor_init sysfs_type:lnk_file read;
    142 allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
    143 
    144 # setfscreatecon() for labeling directories and socket files.
        # setfscreate lets the process choose the label for objects it creates;
        # the types it can actually produce remain bounded by the create rules
        # elsewhere in this policy.
    145 allow vendor_init self:process { setfscreate };
    146 
        # Read access to every vendor_file_type via r_dir_file (macro defined
        # outside this file).
    147 r_dir_file(vendor_init, vendor_file_type)
    148 
    149 # Vendor init can read properties
        # Only serialno_prop is covered by this rule.
        # NOTE(review): serialno_prop also appears in a set_prop call later in
        # this file; if set_prop already implies read access this rule is
        # redundant.
    150 allow vendor_init serialno_prop:file { getattr open read };
    151 
    152 # Vendor init can perform operations on trusted and security Extended Attributes
        # sys_admin is granted on self with no further scoping. The capability is
        # much broader than extended-attribute handling (it also gates mount and
        # many other privileged operations), so the stated purpose documents why
        # it was added, not the limit of what it permits.
    153 allow vendor_init self:global_capability_class_set sys_admin;
    154 
    155 # Raw writes to misc block device
        # NOTE(review): on many devices the misc partition carries messages read
        # by the bootloader or recovery; confirm what consumes it on the target
        # and that those consumers validate what they read.
    156 allow vendor_init misc_block_device:blk_file w_file_perms;
    157 
        # Conditional grant: inside not_compatible_property, vendor_init may set
        # every property_type except the seven subtracted below.
        # NOTE(review): not_compatible_property is defined outside this file; it
        # presumably emits its body only on builds that do not enforce the
        # compatible-property restriction. Confirm which build configuration the
        # target uses, because this branch is far wider than the explicit list
        # that follows it.
    158 not_compatible_property(`
    159     set_prop(vendor_init, {
    160       property_type
    161       -restorecon_prop
    162       -netd_stable_secret_prop
    163       -firstboot_prop
    164       -pm_prop
    165       -system_boot_reason_prop
    166       -bootloader_boot_reason_prop
    167       -last_boot_reason_prop
    168     })
    169 ')
    170 
        # Unconditional grants: property types vendor_init may set regardless of
        # the macro above, one type per line. The list includes debug_prop,
        # serialno_prop and vendor_security_patch_level_prop, so anything that
        # consumes these properties should treat the values as vendor-controlled
        # input rather than as platform-attested facts.
    171 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
    172 set_prop(vendor_init, debug_prop)
    173 set_prop(vendor_init, exported_bluetooth_prop)
    174 set_prop(vendor_init, exported_config_prop)
    175 set_prop(vendor_init, exported_dalvik_prop)
    176 set_prop(vendor_init, exported_default_prop)
    177 set_prop(vendor_init, exported_ffs_prop)
    178 set_prop(vendor_init, exported_overlay_prop)
    179 set_prop(vendor_init, exported_pm_prop)
    180 set_prop(vendor_init, exported_radio_prop)
    181 set_prop(vendor_init, exported_system_radio_prop)
    182 set_prop(vendor_init, exported_wifi_prop)
    183 set_prop(vendor_init, exported2_config_prop)
    184 set_prop(vendor_init, exported2_system_prop)
    185 set_prop(vendor_init, exported2_vold_prop)
    186 set_prop(vendor_init, exported3_default_prop)
    187 set_prop(vendor_init, exported3_radio_prop)
    188 set_prop(vendor_init, logd_prop)
    189 set_prop(vendor_init, log_tag_prop)
    190 set_prop(vendor_init, log_prop)
    191 set_prop(vendor_init, serialno_prop)
    192 set_prop(vendor_init, vendor_default_prop)
    193 set_prop(vendor_init, vendor_security_patch_level_prop)
    194 set_prop(vendor_init, wifi_log_prop)
    195 
        # Read-only property access: these two types use get_prop and do not
        # appear in the unconditional set_prop list above.
    196 get_prop(vendor_init, exported2_radio_prop)
    197 get_prop(vendor_init, exported3_system_prop)
    198